Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Hijack This Log

Started by alton3692 , Dec 11 2005 05:00 PM

  • This topic is locked This topic is locked
10 replies to this topic

#1 alton3692

alton3692

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 11 December 2005 - 05:00 PM

Started with Google finding results for searches but when clicking a topic it would take me to another search site and not the selected topic. I removed the Google Search bar from my IE. Series of very large icons appear on the desk top when entering computer. Casion, Get a Date, etc. Found sites in Favorites on IE that I had not chosen, mortgage and sex sites, deleted them.

Today I ran Spy Bot Search and Destroy and it found nothing. I ran Adaware and it found 29 problems and deleted them. It did not fix problem.

I run Symantec Virus and it runs daily. Today not at a scheduled run, it posted a popup that said:

File: C:\System Volume Information\_restore(B37680B2-BA0A-4E5D-BF30-
83E44C588624)\RP941\A0111183.exe
Location: C:\System Volume Information\_restore(B37680B2-BA0A-4E5D-BF30-83E44C588624)\RP941
Computer: D4R8JZ21
User: System
Action Taken: Clean failed : Quarantine failed : Access denied
Date Found: Sun Dec 11 14:39:20 2005

Logfile of HijackThis v1.99.1
Scan saved at 4:39:58 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: (no name) - {EDC82160-B7B4-1D94-4046-4CE63497A1E6} - newbreed.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - blank (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [FLKPT] 34763.exe
O4 - HKLM\..\Run: [WhatsNewBot] Dest068.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [killall] MSTCPDLL.exe
O4 - HKCU\..\Run: [zxc] bnui.exe
O4 - HKCU\..\Run: [bingo9] borlandg.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Webshots.zip
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Canasta by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: NASCAR Web Racing by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://game1.pogo.co...d-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,20/mcgdmgr.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.parentwat.../video/push.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D173AF0-50E1-43B3-8CB5-A715464EAB23}: NameServer = 85.255.115.44,85.255.112.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D173AF0-50E1-43B3-8CB5-A715464EAB23}: NameServer = 85.255.115.44,85.255.112.138
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D173AF0-50E1-43B3-8CB5-A715464EAB23}: NameServer = 85.255.115.44,85.255.112.138
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    Advertisements

Register to Remove

#2 alton3692

alton3692

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 13 December 2005 - 07:53 PM

Bump

#3 alton3692

alton3692

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 15 December 2005 - 08:00 PM

Bump

#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 17 December 2005 - 03:20 PM

Hello alton3692, welcome to the forum.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Then please run Ewido, click on the Scanner run a full scan and let it clean everything it finds. Save the logfile from the scan.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#5 alton3692

alton3692

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 17 December 2005 - 05:02 PM

Per LD Tate: New HJT log and ran Ewido and cleaned included scan report below

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:31:52 PM, 12/17/2005
+ Report-Checksum: 7D5C5699

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-3081151381-1890145375-615699809-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{869EE607-5376-486D-8DAC-EDC8E239AD5F} -> Not-A-Virus.Exploit.CHM : Cleaned with backup
HKU\S-1-5-21-3081151381-1890145375-615699809-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{869EE607-5376-486D-8DAC-EDC8E239AD5F} -> Not-A-Virus.Exploit.CHM : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.239:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.240:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.253:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.261:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.276:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.277:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.311:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.333:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-1.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Masterstats : Cleaned with backup
:mozilla.274:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.322:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.330:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.370:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.392:C:\Documents and Settings\Alton\Application Data\Mozilla\Firefox\Profiles\kq4eix06.default\cookies-2.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\Documents and Settings\Alton\Cookies\alton@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Alton\Cookies\alton@news.com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Alton\Cookies\alton@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Mitchell\Application Data\Mozilla\Firefox\Profiles\7032y9al.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wfk4qjczikq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wfk4qkc5alq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wfk4uodjsho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wfkiggcpkhq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wfkiwmcpsep.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wfkoeocjglo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wfkogocjaco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wfkyqlc5cdq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wjkokgazelq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wjkykicpkfo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wjkyumazmeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wjl4ood5obp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wjl4spdpafp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wjlocmcpobp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wjlyagc5scp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wjlyqoajchp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wjny-1gdzwh.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wjny-1najgd.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wjnyahazaho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@e-2dj6wjnyalajcfp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Mitchell\Cookies\mitchell@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\ms32.sys -> Downloader.Agent.tc : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\WINDOWS\SYSTEM32\filesafer23.exe -> Hijacker.Small : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 5:00:50 PM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: (no name) - {EDC82160-B7B4-1D94-4046-4CE63497A1E6} - newbreed.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - blank (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [FLKPT] 34763.exe
O4 - HKLM\..\Run: [WhatsNewBot] Dest068.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [dmnbz.exe] C:\WINDOWS\system32\dmnbz.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [killall] MSTCPDLL.exe
O4 - HKCU\..\Run: [zxc] bnui.exe
O4 - HKCU\..\Run: [bingo9] borlandg.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Webshots.zip
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Canasta by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: NASCAR Web Racing by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://game1.pogo.co...d-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134443724771
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,20/mcgdmgr.cab
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.parentwat.../video/push.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D173AF0-50E1-43B3-8CB5-A715464EAB23}: NameServer = 85.255.115.44,85.255.112.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D173AF0-50E1-43B3-8CB5-A715464EAB23}: NameServer = 85.255.115.44,85.255.112.138
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D173AF0-50E1-43B3-8CB5-A715464EAB23}: NameServer = 85.255.115.44,85.255.112.138
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#6 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 17 December 2005 - 05:40 PM

I suggest you do this:


Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;

R3 - URLSearchHook: (no name) - {EDC82160-B7B4-1D94-4046-4CE63497A1E6} - newbreed.dll (file missing)

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [FLKPT] 34763.exe

O4 - HKLM\..\Run: [WhatsNewBot] Dest068.exe

O4 - HKLM\..\Run: [dmnbz.exe] C:\WINDOWS\system32\dmnbz.exe

O4 - HKCU\..\Run: [killall] MSTCPDLL.exe

O4 - HKCU\..\Run: [zxc] bnui.exe

O4 - HKCU\..\Run: [bingo9] borlandg.exe

O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.parentwat.../video/push.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2D173AF0-50E1-43B3-8CB5-A715464EAB23}: NameServer = 85.255.115.44,85.255.112.138

O17 - HKLM\System\CS1\Services\Tcpip\..\{2D173AF0-50E1-43B3-8CB5-A715464EAB23}: NameServer = 85.255.115.44,85.255.112.138

O17 - HKLM\System\CS2\Services\Tcpip\..\{2D173AF0-50E1-43B3-8CB5-A715464EAB23}: NameServer = 85.255.115.44,85.255.112.138

Close ALL windows and browsers except HijackThis and click "Fix checked"


Restart in Safe Mode:
Restart your computer.

Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.



delete these files if listed:
C:\34763.exe
C:\Dest068.exe
C:\MSTCPDLL.exe
C:\bnui.exe
C:\borlandg.exe
C:\WINDOWS\system32\dmnbz.exe


Open C:\Windows\Prefetch\ Delete ALL files in this folder.



Do this also if these Temp Folders are part of your OS.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.


Next navigate to the C:\Documents and Settings\(EVERY LISTED PROFILE USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin

Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#7 alton3692

alton3692

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 17 December 2005 - 08:40 PM

Followed Directions, everything done except I did not see these files anywhere:
delete these files if listed:
C:\34763.exe
C:\Dest068.exe
C:\MSTCPDLL.exe
C:\bnui.exe
C:\borlandg.exe
C:\WINDOWS\system32\dmnbz.ex

Computer is acting normally.

Logfile of HijackThis v1.99.1
Scan saved at 8:32:21 PM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - blank (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Webshots.zip
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Canasta by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: NASCAR Web Racing by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.co...e-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://game1.pogo.co...d-ob-assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.co...a-ob-assets.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134443724771
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,20/mcgdmgr.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#8 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 17 December 2005 - 08:42 PM

Good Job :thumbup:


Log looks good :D :thumbup: How is it running any issues?

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Click Start> My Computer, select the Tools menu and then Folder Options, after the new window appears select the View tab…]
This time select the: Restore Defaults
Select: Apply, and click OK




If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#9 alton3692

alton3692

    Authentic Member

  • Authentic Member
  • PipPip
  • 24 posts

Posted 17 December 2005 - 08:51 PM

It seems to be running just fine. Thanks so much. I will go to the site you recommend and get a firewall. Also, will add the spyware programs you recommend. Again, thanks for the help.. Without your guidance, it was a lost cause..

#10 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 17 December 2005 - 08:51 PM

Great job :thumbup: You're more then welcome. Glad we were able to help Peace be with you :wavey:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 17 December 2005 - 08:52 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·